← Retour aux CVEs
CVE-2026-41271
HIGH8.3
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.
Details CVE
Score CVSS v3.18.3
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie4/23/2026
Derniere modification4/24/2026
Sourcenvd
Observations honeypot0
Produits affectes
flowiseai:flowise
Faiblesses (CWE)
CWE-918
References
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8(security-advisories@github.com)
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.